Revision of the Federal Data Protection Act

Subsequent to two parliamentary motions, the Swiss government submitted a position paper (this procedure is known in Switzerland as a "message") to the two chambers of Parliament. In it, the Swiss government sets out its intention to revise the Data Protection Act (FADP) and to accede to the additional protocol on the convention for the protection of individuals with regard to automatic processing of personal data. The two draft bills are currently the subject of parliamentary debate.

On 19 February 2003, the Federal Council submitted to Parliament a draft bill modifying the Data Protection Act as well as a decision on the accession of Switzerland to the additional protocol of 8 November 2001 to the convention for the protection of individuals with regard to the automatic processing of personal data. Particular reference was made to the role of the supervisory authorities and the cross-border transmission of data (BBI 2003 2101) [see also 10th Annual Report, 2002/2003, Section 1.1]. It did so in reaction to motion number 98.3529 of the Control Committee of the Council of States (upper chamber of Parliament) "Increased protection for personal data in online transactions", and motion 00.3000 of the Committee for Legal Affairs of the Council of States "Increased transparency during the collection of personal data".
During the 2004 spring session of Parliament, the National Council (lower chamber) announced its willingness to discuss the issues, but referred the bill back to the Federal Council asking it to come up with a somewhat less ambitious project. A majority felt that the government's draft bill went much further than the two parliamentary motions, arguing that the motions and the changes required for the ratification of the additional protocol sufficed. The Council of States, on the other hand, felt that the draft bill could be discussed by the appropriate parliamentary committee. Finally the lower chamber also endorsed this position, and as a result the Committee for Legal Affairs will be able to begin debating the issues.
We welcome this decision as it avoids any further delays. By and large we approve the draft revision of the FADP and the ratification of the additional protocol. That being said, we would have preferred a more far-reaching revision and closer harmonization with European law. It is our conviction that it would be best to proceed in stages. The Federal Council's draft bill must be seen as a response to the two parliamentary motions and is a precondition for the ratification of the additional protocol. The scope of the bill is limited and covers just the salient points. Most of the provisions are a direct transposition of the two motions (transparency, the rights of data subjects, notification of data collections, supervisory role of the Swiss Federal Data Protection Commissioner, processing requiring a specific mandate, etc.). and of the ratification of the additional protocol (cross-border data flows, the right of the Data Protection Commissioner to lodge a complaint, supervisory role of the Data Protection Commissioner). The revision also reflects the results of the consultation process in which all interested parties have an opportunity to present their views on proposed legislation. We believe that the adoption of a certification process and a data protection quality label were particularly inspired ideas because they enhance the independence and responsibility of data collection owners and promote self-regulation. On the other hand, we still have reservations with regard to the regulations applicable to the pilot projects. We hope that this issue will be addressed during the discussions.

One of the most criticized points in the draft concerns the information duty. There is a fear that this requirement might go too far and create an additional burden for the administration. The draft bill stipulates that the data subject must be given exact information about the processing of any particularly sensitive personal data and personality profiles, as required by the motion of the Committee for Legal Affairs of the Council of States. Furthermore, the draft bill insists that the collection of personal data and the purpose of the data processing should be clearly understood by the data subject. This gives teeth to the principle of "acting in good faith" and reflects the interest of data subjects in obtaining a minimum level of transparency with regard to the collection of data classified as non-sensitive. Transparency should not increase costs unduly, and again the principle of proportionality applies. Detailed information is not required for each individual collection of data. The form and content of the information depend on various criteria, in particular the purpose of the processing, the processing methods, the circumstances of the processing, and the information that is already in the possession of the data subject. The information may be provided in a general form (i.e. a publication, internet, general terms and conditions, standardized information, etc.). Many companies today already adhere to the transparency principle.
Transparency is not only good for the data subject, but also for the economy as a whole. Parliament has already recognized the need for transparency in other areas and has taken this into account in the revision of the Insurance Policy Act, which imposes an information duty in connection with the processing of personal data. We do not accept the criticism that the duty to inform is excessively expensive and that data subjects are not really interested in their data in any case, given that so few people actually exercise their right to information. Citizens contact us every day to inquire about their rights and to get information about the processing of their data. Often, citizens do not know who is involved in the processing of their data and what their rights are. In many cases, they have far too much respect for the owners of data collections and therefore, they tend to hold back from launching what they believe is a cumbersome procedure. Countries that have equivalent data protection legislation also recognize the principle of transparency. The duty to inform is accepted by data controllers and is taken for granted. It is also much better for companies and economic operators to be able to deal with informed customers. Moreover, transparency increases trust between companies and their clientele.

The draft revision has also provoked some criticism insofar as the supervisory role of the Swiss Federal Data Protection Commissioner in the private sector is concerned. The fear is that the SDPC could interfere in every individual case. However, such an interpretation goes against both the spirit and the letter of the proposals that have been made. What is more, the SDPC does not have the resources to do so. Although it is true that the proposed amendments would simplify the notification procedure for data collections, they do not extend the SDPC's authority. Even as things stand today, the SDPC has the right to intervene in cases where highly sensitive data or personality profiles are being processed. Individual citizens often do not have the resources to institute proceedings. In cases where there is a real risk that the personality rights of an individual may be infringed, the SDPC must have the authority to intervene. The processing of particularly sensitive data or personality profiles which affect a large number of people falls into this category.

[July 2005]